Post Office Protocol (POP3)
Email retrieval protocol for downloading messages from mail servers.
1. The Role of POP3 in the Email Ecosystem
Post Office Protocol version 3 (POP3) is one of the oldest and most fundamental protocols on the internet for retrieving electronic mail. To understand its role, it's helpful to use a real-world analogy. The Simple Mail Transfer Protocol (SMTP) acts as the global postal service, responsible for transporting your email from the sender all the way to the recipient's destination mail server. In this analogy, the mail server is the local post office, and your specific email account is your personal P.O. Box.
Once the letter (your email) has arrived at the post office (the mail server), SMTP's job is done. Now, you need a way to go to the post office and collect your mail. This is precisely the role of POP3. It is a client-server protocol that an email client application, known as a Mail User Agent (MUA), uses to connect to a mail server and download messages from a user's mailbox. It is designed to be a simple, efficient mechanism for moving mail from a server to a single, local computer.
2. Core Characteristics of POP3
The design and behavior of POP3 are defined by a few key characteristics that stem from its origins in an earlier era of the internet.
- Simple Download-and-Delete Workflow
The most defining feature of POP3 is its standard workflow. By default, when your email client connects to the server, it downloads all available messages to your local device (your computer's hard drive). After the download is complete and successful, the client typically instructs the server to delete those messages. This means the definitive copy of your emails is stored locally on your device, not on the server.
- Designed for a Single Client
POP3 was designed with the assumption that a user would access their email from one primary computer. The download-and-delete model is very efficient for this scenario. However, it creates significant challenges in today's multi-device world. If you check your email on your phone, the messages are downloaded there and removed from the server. When you later open your laptop, those emails will be gone, as they no longer exist on the server to be downloaded. This lack of synchronization is the biggest drawback of POP3.
- Offline Access as a Primary Feature
Because all messages are downloaded and stored locally, POP3 is excellent for offline access. Once the mail is on your computer, you can read, reply to, delete, and organize your emails without needing an active internet connection. Your replies will be queued up and sent the next time your client goes online.
- Minimal Server Storage Requirements
A direct consequence of the download-and-delete model is that it is very resource-friendly for the mail server. Since emails are not permanently stored on the server, the required storage space per user is minimal. This was a significant advantage in the early days of the internet when server storage was expensive.
- Designated Communication Ports
POP3 uses standardized network ports to listen for client connections:
- Port 110: The default port for unencrypted POP3 communication. Data, including your password, is sent in plain text.
- Port 995: The standard port for secure POP3, known as POP3S. The entire connection is encrypted from the start using SSL/TLS, protecting your credentials and email content from eavesdropping.
3. The Three States of a POP3 Session
A POP3 session is a structured, stateful process that progresses through three distinct phases.
- The AUTHORIZATION State
This is the initial phase where the client authenticates itself to the server. No mail-related operations can be performed until authentication is successful. During this state, the server acquires an exclusive lock on the user's mailbox to prevent simultaneous access issues.
- The TRANSACTION State
Once authorized, the session enters the transaction state. Here, the client can issue commands to interact with the mailbox. The client can list messages, retrieve messages, and mark messages for deletion. All actions in this phase, including marking for deletion, are reversible until the session enters the final state.
- The UPDATE State
The session transitions to the update state when the client sends the 'QUIT' command. At this point, the server performs the committed actions: it permanently deletes all messages that were marked for deletion during the transaction state. After the deletions are complete, the server releases the mailbox lock and closes the TCP connection. If the connection is broken for any reason before the 'QUIT' command is issued (e.g., a network error), the session does not enter the update state, and the mailbox is reset to its original state, meaning no messages are deleted.
4. A Detailed POP3 Command Walkthrough
The communication in POP3 is a simple command-and-response dialogue. The server's responses are straightforward: '+OK' for a successful command, and '-ERR' for an error.
Phase 1: Authorization
- Client connects via TCP to the server on port 110.
- Server sends a greeting.
Server: +OK POP3 server ready <[email protected]>
- Client sends username.
Client: USER johndoe
- Server acknowledges.
Server: +OK
- Client sends password.
Client: PASS a-very-secure-password
- Server authenticates and locks the mailbox.
Server: +OK johndoe's maildrop has 2 messages (320 octets)
Phase 2: Transaction
- Client checks the status of the mailbox.
Client: STAT
Server: +OK 2 320
- Client lists the messages to get their numbers and sizes.
Client: LIST
Server: +OK 2 messages (320 octets)
Server: 1 120
Server: 2 200
Server: .
- Client retrieves the first message.
Client: RETR 1
Server: +OK 120 octets
Server: (the server sends the full content of message 1)
Server: .
- After successfully downloading message 1, the client marks it for deletion.
Client: DELE 1
Server: +OK message 1 deleted
- Client repeats for the second message.
Client: RETR 2
...
Client: DELE 2
Phase 3: Update
- Having finished its tasks, the client ends the session.
Client: QUIT
- The server now permanently deletes messages 1 and 2, releases the lock, and closes the connection.
Server: +OK dewey POP3 server signing off
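The three session states from section 3 and the walkthrough above can be modelled in a few lines. The following is an added example, not part of the original page or of any real mail server: the Pop3Session class, its handle method and the demo function are hypothetical names, only the commands used in the walkthrough are modelled, and the mailbox lock is left out. It shows that DELE only marks a message and that nothing is removed unless QUIT moves the session into the UPDATE state.

```python
from enum import Enum
class State(Enum):
    AUTHORIZATION, TRANSACTION, UPDATE = range(3)

class Pop3Session:
    """Simplified model of one session; maildrop is a list of message strings (no dot-stuffing)."""
    def __init__(self, maildrop, user, password):
        self.maildrop, self.creds = maildrop, (user, password)
        self.state, self.pending_user = State.AUTHORIZATION, None
        self.marked = set()                      # numbers marked by DELE, not yet removed

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        size = lambda n: len(self.maildrop[n - 1].encode())
        if self.state is State.UPDATE:
            return "-ERR session closed"
        if self.state is State.AUTHORIZATION:    # nothing but login is accepted here
            if verb == "USER":
                self.pending_user = arg
                return "+OK"
            if verb == "PASS" and (self.pending_user, arg) == self.creds:
                self.state = State.TRANSACTION
                return f"+OK maildrop has {len(self.maildrop)} messages"
            return "-ERR not authenticated"
        live = [n for n in range(1, len(self.maildrop) + 1) if n not in self.marked]
        if verb == "STAT":
            return f"+OK {len(live)} {sum(map(size, live))}"
        if verb == "LIST":
            rows = [f"{n} {size(n)}" for n in live]
            return "\r\n".join([f"+OK {len(live)} messages", *rows, "."])
        if verb in ("RETR", "DELE") and arg.isdigit() and int(arg) in live:
            if verb == "DELE":
                self.marked.add(int(arg))        # reversible: the maildrop is untouched
                return f"+OK message {int(arg)} deleted"
            return "\r\n".join([f"+OK {size(int(arg))} octets", self.maildrop[int(arg) - 1], "."])
        if verb == "QUIT":                       # TRANSACTION -> UPDATE: commit deletions
            self.state = State.UPDATE
            self.maildrop[:] = [m for i, m in enumerate(self.maildrop, 1) if i not in self.marked]
            return "+OK signing off"
        return "-ERR unknown command or no such message"

def demo():
    box = ["x" * 120, "y" * 200]                 # constructed 120- and 200-octet messages
    for ending in ([], ["QUIT"]):                # dropped connection, then a clean QUIT
        session = Pop3Session(box, "johndoe", "example-pw")
        for cmd in ["USER johndoe", "PASS example-pw", "RETR 1", "DELE 1", *ending]:
            session.handle(cmd)
        yield len(box)                           # maildrop size once the session is over
```

Running list(demo()) gives the maildrop size after the dropped session and then after the clean one, which makes the rollback behaviour described for the UPDATE state visible.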
5. Security and the Evolution Beyond POP3
Like early SMTP, the original POP3 protocol was designed without strong security in mind. Passwords and emails were sent in clear text. The modern solution to this is POP3S, which encrypts the entire session using SSL/TLS on port 995, and should be considered the minimum standard for security today.
The "Leave Mail on Server" Problem
Most modern email clients offer a setting for POP3 accounts called "Leave a copy of messages on server". While this seems to solve the single-device problem, it creates a new set of issues. The protocol itself has no concept of synchronizing the "state" of a message. This means:
- If you read an email on your phone, it remains marked as "unread" on your computer.
- If you delete an email on your computer, it remains in the inbox on your phone.
- Folders created on one device are not visible on any other device.
- The "Sent Items" folder is local to the device you used to send the message.
This lack of state synchronization makes POP3 a poor choice for users with multiple devices. This fundamental limitation led directly to the development and widespread adoption of its successor, the Internet Message Access Protocol (IMAP), which is designed from the ground up for server-side storage and multi-client synchronization.